RE: Apache 1.3.26 seg faults & bus errors

I am not running Linux btw, sorry, I left that out, it's FreeBSD 4.5-RELEASE
with
the latest security patches.

-Rory

-----Original Message-----
From: Ryan Sweat [mailto:rsweat@xxxxxxxxx]
Sent: Friday, October 25, 2002 10:52 PM
To: rsavage@xxxxxxxxxxxxxx
Cc: incidents@xxxxxxxxxxxxxxxxx
Subject: Re: Apache 1.3.26 seg faults & bus errors


It would be helpful if you could paste part of the access log or other
packet capture which signifies what data is being sent to apache causing
this to happen.

RedHat's apache is known to have issues with CodeRed attempts.  The
solution is to upgrade to Apache 2.x or 1.3.27.  RedHat has not released
any errata that fixes this bug, you must install from source, unless of
course you have RedHat 8 which ships with Apache 2.x.

There was a thread on this list just last week pertaining to this.
http://online.securityfocus.com/archive/75/296184/2002-10-16/2002-10-22/1

Ryan

On Fri, 2002-10-25 at 10:59, rsavage@xxxxxxxxxxxxxx wrote:
> We upgraded to apache 1.3.26 from apache 1.3.24 during the time the
> `Apache Web Server Chunk Handling Vulnerability' was released, but
> still seeing these:
>
>
> [Fri Aug 23 08:30:35 2002] [notice] child pid 50775 exit signal
> Segmentation fault (11)
> [Fri Aug 23 08:49:31 2002] [notice] child pid 51990 exit signal
> Segmentation fault (11)
> [Fri Aug 23 09:31:56 2002] [notice] child pid 55712 exit signal
> Segmentation fault (11)
> [Fri Aug 23 10:32:20 2002] [notice] child pid 60289 exit signal
> Segmentation fault (11)
> [Fri Aug 23 10:45:33 2002] [notice] child pid 61593 exit signal
> Segmentation fault (11)
> [Fri Aug 23 10:55:37 2002] [notice] child pid 62832 exit signal Bus error
> (10)
> [Fri Aug 23 11:43:24 2002] [notice] child pid 65789 exit signal Bus error
> (10)
> [Fri Aug 23 12:14:07 2002] [notice] child pid 69531 exit signal
> Segmentation fault (11)
> [Fri Aug 23 13:04:01 2002] [notice] child pid 73722 exit signal
> Segmentation fault (11)
>
> dmesg.yesterday:pid 32987 (httpd), uid 65534: exited on signal 10
> dmesg.yesterday:Oct 22 14:07:09 robin /kernel: pid 32987 (httpd), uid
> 65534: exited on signal 10
> messages:Oct 22 14:07:09 robin /kernel: pid 32987 (httpd), uid 65534:
> exited on signal 10
>
> Server version: Apache/1.3.26 (Unix)
> Server built:   Jun 20 2002 10:14:35
>
> Compiled-in modules:
>   http_core.c
>   mod_env.c
>   mod_log_config.c
>   mod_mime.c
>   mod_negotiation.c
>   mod_status.c
>   mod_include.c
>   mod_autoindex.c
>   mod_dir.c
>   mod_cgi.c
>   mod_asis.c
>   mod_imap.c
>   mod_actions.c
>   mod_userdir.c
>   mod_alias.c
>   mod_rewrite.c
>   mod_access.c
>   mod_auth.c
>   mod_proxy.c
>   mod_usertrack.c
>   mod_unique_id.c
>   mod_setenvif.c
>   mod_perl.c
> suexec: disabled; invalid wrapper /etc/httpd/bin/suexec
>
>
> Is there something else out there, another DoS attack?
>
> --
> Rory Savage, Senior Systems Administrator
> Nando Media: www.nandomedia.com
> email: rsavage@xxxxxxxxxxxxxx
> aol im (PiasElihU)
> 919-836-5987 (Office)
>
>
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com